What is the legal requirement under the GDPR for a data protection officer or DPO?
The General Data Protection Regulation (GDPR) has recently been made law in the European Union. The question is: what are some of its implications for those that do business in Europe or handle the personal information of European citizens? One answer is that if the GDPR applies to your business, a Data Protection Officer is a key position to think about.
Who is a Data Protection Officer (or DPO)?
Under the GDPR, controllers and processors of data appoint a Data Protection Officer to help them comply with data protection law. Once appointed, the officer looks into the risks that data processing can expose a business to and helps the business avoid those risks. Basically, the officer is the link between the public (including other businesses that you may work with) and your business when it comes to the processing of personal information. This means that the public can direct their data protection queries to this officer. The officer reports directly to management, and must be given all resources necessary to carry out their functions.
Who needs a Data Protection Officer?
The GDPR is very clear on which businesses require a Data Protection Officer. Businesses that, for example:
- have core operations which include the processing of data through mass systematic and regular monitoring of data subjects; or
- process the special personal information (race, ethnicity, and biometric data) of data subjects on a large scale,
have to appoint a Data Protection Officer.
The GDPR does NOT require every controller and processor to appoint a Data Protection Officer.
A private body does not have to appoint one if:
- its main activities involve only occasional monitoring of data subjects, with little infringement on those data subjects’ rights,
- it does not process special personal information at all, or
- it only processes the special personal information of a small group of data subjects.
It is also possible, however, for controllers and processors to come together and appoint one even when not required to do so by the GDPR. But the Article 29 Working Party Guidelines on Data Protection recommend that, where it isn’t entirely obvious whether or not they are required to have a Data Protection Officer, controllers and processors follow and document a step-by-step analysis of why they think they do not have to make the appointment. For the whole discussion from the Article 29 Working Party on Data Protection, read the guidelines they adopted on the 13th of December 2016.